Skip to main content
العربية
Menu

FAQ

Is the public catalogue really free, forever?

Yes. The image binaries on images.rasid.cc are released under Apache 2.0. We are not going to introduce a per-pull fee, a per-image fee, or a “free for non-commercial use” carve-out. The catalogue is the marketing for the enterprise tier, and the enterprise tier is what funds the work.

Why Apache 2.0 and not BSD or MIT?

Apache 2.0 gives downstream users an explicit patent grant and a clear redistribution and NOTICE-attribution framework. It is the same licence the major foundations use for their critical infrastructure projects. We picked it because it is the friendliest licence for enterprise procurement.

Is Rasid an open-source project?

No. Rasid is a Saudi sovereign hardened-image vendor. The binaries we publish at images.rasid.cc are Apache 2.0 licensed — free to pull, free to redistribute under the licence’s NOTICE-attribution terms. The build pipeline, signing infrastructure, and internal tooling that produce those binaries are proprietary, operated by Rasid. There is no public source mirror.

The upstream open-source we consume — Wolfi, Sigstore, in-toto, CycloneDX, SPDX — is genuinely open source, and we attribute it in our NOTICE files.

How is “hardened” different from the upstream image?

Three things:

  1. Minimal surface. Only the packages the runtime needs. No shells, no package managers, no unrelated binaries in the production tag.
  2. Active patching. Daily rebuilds against the latest advisory data — see Image lifecycle.
  3. Provable supply chain. Cosign signatures, SBOMs, and in-toto attestations on every image — see Signature verification.

Where is the registry hosted?

images.rasid.cc is operated by Rasid from infrastructure in our chosen region. The website is static and content-distributed via Cloudflare. The registry serves content directly.

Where is customer data stored?

For the public catalogue there is no customer data. We do not require an account.

For enterprise customers, all customer data — sales contracts, support tickets, custom-build sources — stays within Saudi residency. See the privacy notice.

Do you collect analytics on this site?

No third-party analytics, no third-party trackers. We may aggregate request counts from the registry to publish public download numbers, but those counts are not joined to any identity.

How do I report a security issue with one of your images?

Email [email protected]. See security.txt for the full disclosure policy and PGP key fingerprint.

Can I request a new image or a fix?

Yes. For the public catalogue: email [email protected] with the image or fix you want. We triage requests and prioritise based on user demand. We do not run a public issue tracker or accept external pull requests against the build pipeline — the pipeline is proprietary.

For enterprise customers: feature requests come through your account contact, prioritised against your support contract.

Does Rasid offer support?

The public catalogue is “as-is” under Apache 2.0. Support contracts with named SLAs are part of the enterprise tier.